Description
Missing Authorization vulnerability in vgdevsolutions Checkout Gateway for IRIS checkout-gateway-iris allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Checkout Gateway for IRIS: from n/a through <= 1.3.
Published: 2026-02-20
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Missing authorization in the vgdevsolutions Checkout Gateway for IRIS plugin allows attackers to exploit incorrectly configured access control levels, enabling unauthorized users to access or manipulate checkout functionality. This broken access control can lead to unauthorized reads or modifications of transaction data without requiring user credentials. The issue is identified as CWE-862, a classic example of missing or improper authorization.

Affected Systems

Affected: vgdevsolutions’ Checkout Gateway for IRIS plugin, all releases up to and including version 1.3. Users running any version from the initial release through 1.3 are vulnerable.

Risk and Exploitability

The CVSS score of 6.5 indicates a medium severity impact. The EPSS score of less than 1% suggests a low but non‑zero likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Exploitation would require the plugin to be installed and an attacker to target the exposed endpoints, likely without special privileges, as the access control is incorrectly enforced. The primary risk is unauthorized manipulation of checkout transactions rather than remote code execution.

Generated by OpenCVE AI on April 29, 2026 at 11:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Checkout Gateway for IRIS to a version newer than 1.3, such as v1.4 or later, to apply the vendor’s fix.
  • Ensure that all plugin endpoints, especially those handling checkout data, are protected by role-based access controls and can only be accessed by administrators.
  • If the plugin is not essential, disable or uninstall it to reduce the attack surface.
  • Enable logging and monitor access logs for the plugin’s endpoints for any unauthorized or suspicious activity.

Generated by OpenCVE AI on April 29, 2026 at 11:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 24 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Vgdevsolutions
Vgdevsolutions checkout Gateway For Iris
Wordpress
Wordpress wordpress
Vendors & Products Vgdevsolutions
Vgdevsolutions checkout Gateway For Iris
Wordpress
Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in vgdevsolutions Checkout Gateway for IRIS checkout-gateway-iris allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Checkout Gateway for IRIS: from n/a through <= 1.3.
Title WordPress Checkout Gateway for IRIS plugin <= 1.3 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Vgdevsolutions Checkout Gateway For Iris
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:01:17.928Z

Reserved: 2025-12-19T10:17:09.987Z

Link: CVE-2025-68542

cve-icon Vulnrichment

Updated: 2026-02-24T21:28:30.927Z

cve-icon NVD

Status : Deferred

Published: 2026-02-20T16:22:11.640

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-68542

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T11:15:09Z

Weaknesses